
File revert-7431b3eb.patch of Package libvirt

commit f6c5babbbf831b9ea2fdcfc783b5fd998bf8ffdd
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Thu Apr 25 09:15:00 2019 -0600

    Revert "util: move virtual network firwall rules into private chains"
    
    This reverts commit 7431b3eb9a05068e4ba05d0bb236b440b33eb1ab.
    
    See bsc#1133229

Index: libvirt-5.1.0/src/libvirt_private.syms
===================================================================
--- libvirt-5.1.0.orig/src/libvirt_private.syms
+++ libvirt-5.1.0/src/libvirt_private.syms
@@ -2087,7 +2087,6 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
-iptablesSetDeletePrivate;
 iptablesSetupPrivateChains;
 
 
Index: libvirt-5.1.0/src/network/bridge_driver_linux.c
===================================================================
--- libvirt-5.1.0.orig/src/network/bridge_driver_linux.c
+++ libvirt-5.1.0/src/network/bridge_driver_linux.c
@@ -35,35 +35,17 @@ VIR_LOG_INIT("network.bridge_driver_linu
 
 #define PROC_NET_ROUTE "/proc/net/route"
 
-int networkPreReloadFirewallRules(bool startup)
+int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
     int ret = iptablesSetupPrivateChains();
     if (ret < 0)
         return -1;
-
-    /*
-     * If this is initial startup, and we just created the
-     * top level private chains we either
-     *
-     *   - upgraded from old libvirt
-     *   - freshly booted from clean state
-     *
-     * In the first case we must delete the old rules from
-     * the built-in chains, instead of our new private chains.
-     * In the second case it doesn't matter, since no existing
-     * rules will be present. Thus we can safely just tell it
-     * to always delete from the builin chain
-     */
-    if (startup && ret == 1)
-        iptablesSetDeletePrivate(false);
-
     return 0;
 }
 
 
 void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
-    iptablesSetDeletePrivate(true);
 }
 
 
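Review bot: `networkPreReloadFirewallRules` still calls `iptablesSetupPrivateChains()` but now ignores the `ret == 1` case, and with `iptablesSetDeletePrivate` gone every add and remove in viriptables.c targets the built-in chains only. On a host that already ran the un-reverted build, rules placed in the `LIBVIRT_*` chains would presumably survive a daemon restart, because the remove helpers no longer look there. If `iptablesSetupPrivateChains()` (its body is outside this hunk) still links those chains from the built-in ones, such leftover ACCEPT or MASQUERADE entries would keep matching traffic. I would either flush the private chains at startup or record the limitation next to the call, e.g. `/* Private chains are still created, but rules live in the built-in chains; leftovers in LIBVIRT_* from a newer build are not cleaned up. */`.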
Index: libvirt-5.1.0/src/util/viriptables.c
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.c
+++ libvirt-5.1.0/src/util/viriptables.c
@@ -48,7 +48,6 @@ enum {
     REMOVE
 };
 
-static bool deletePrivate = true;
 
 typedef struct {
     const char *parent;
@@ -180,17 +179,9 @@ iptablesSetupPrivateChains(void)
 }
 
 
-void
-iptablesSetDeletePrivate(bool pvt)
-{
-    deletePrivate = pvt;
-}
-
-
 static void
 iptablesInput(virFirewallPtr fw,
               virFirewallLayer layer,
-              bool pvt,
               const char *iface,
               int port,
               int action,
@@ -203,8 +194,7 @@ iptablesInput(virFirewallPtr fw,
 
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_INP" : "INPUT",
+                       action == ADD ? "--insert" : "--delete", "INPUT",
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -215,7 +205,6 @@ iptablesInput(virFirewallPtr fw,
 static void
 iptablesOutput(virFirewallPtr fw,
                virFirewallLayer layer,
-               bool pvt,
                const char *iface,
                int port,
                int action,
@@ -228,8 +217,7 @@ iptablesOutput(virFirewallPtr fw,
 
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_OUT" : "OUTPUT",
+                       action == ADD ? "--insert" : "--delete", "OUTPUT",
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -252,7 +240,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, true, iface, port, ADD, 1);
+    iptablesInput(fw, layer, iface, port, ADD, 1);
 }
 
 /**
@@ -270,7 +258,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
+    iptablesInput(fw, layer, iface, port, REMOVE, 1);
 }
 
 /**
@@ -288,7 +276,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, true, iface, port, ADD, 0);
+    iptablesInput(fw, layer, iface, port, ADD, 0);
 }
 
 /**
@@ -306,7 +294,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    return iptablesInput(fw, layer, iface, port, REMOVE, 0);
 }
 
 /**
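Review bot: `return iptablesInput(fw, layer, iface, port, REMOVE, 0);` returns the result of a helper that this patch shows as `static void`, whereas the sibling `iptablesRemoveTcpInput` calls it as a plain statement. If `iptablesRemoveUdpInput` is itself `void` (its signature starts above this hunk), ISO C does not permit a `return` with an expression there and compilers accept it only as an extension. Drop the keyword so the two remove wrappers match: `iptablesInput(fw, layer, iface, port, REMOVE, 0);`.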
@@ -324,7 +312,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, true, iface, port, ADD, 0);
+    iptablesOutput(fw, layer, iface, port, ADD, 0);
 }
 
 /**
@@ -342,7 +330,7 @@ iptablesRemoveUdpOutput(virFirewallPtr f
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
+    iptablesOutput(fw, layer, iface, port, REMOVE, 0);
 }
 
 
@@ -382,7 +370,6 @@ static char *iptablesFormatNetwork(virSo
  */
 static int
 iptablesForwardAllowOut(virFirewallPtr fw,
-                        bool pvt,
                         virSocketAddr *netaddr,
                         unsigned int prefix,
                         const char *iface,
@@ -399,8 +386,7 @@ iptablesForwardAllowOut(virFirewallPtr f
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -409,8 +395,7 @@ iptablesForwardAllowOut(virFirewallPtr f
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWO" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -439,7 +424,7 @@ iptablesAddForwardAllowOut(virFirewallPt
                            const char *iface,
                            const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -462,7 +447,7 @@ iptablesRemoveForwardAllowOut(virFirewal
                               const char *iface,
                               const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 
@@ -471,7 +456,6 @@ iptablesRemoveForwardAllowOut(virFirewal
  */
 static int
 iptablesForwardAllowRelatedIn(virFirewallPtr fw,
-                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *iface,
@@ -488,8 +472,7 @@ iptablesForwardAllowRelatedIn(virFirewal
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -500,8 +483,7 @@ iptablesForwardAllowRelatedIn(virFirewal
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -532,7 +514,7 @@ iptablesAddForwardAllowRelatedIn(virFire
                                  const char *iface,
                                  const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -555,14 +537,13 @@ iptablesRemoveForwardAllowRelatedIn(virF
                                     const char *iface,
                                     const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
  */
 static int
 iptablesForwardAllowIn(virFirewallPtr fw,
-                       bool pvt,
                        virSocketAddr *netaddr,
                        unsigned int prefix,
                        const char *iface,
@@ -579,8 +560,7 @@ iptablesForwardAllowIn(virFirewallPtr fw
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -589,8 +569,7 @@ iptablesForwardAllowIn(virFirewallPtr fw
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_FWI" : "FORWARD",
+                           action == ADD ? "--insert" : "--delete", "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -618,7 +597,7 @@ iptablesAddForwardAllowIn(virFirewallPtr
                           const char *iface,
                           const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -641,20 +620,18 @@ iptablesRemoveForwardAllowIn(virFirewall
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 static void
 iptablesForwardAllowCross(virFirewallPtr fw,
                           virFirewallLayer layer,
-                          bool pvt,
                           const char *iface,
                           int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWX" : "FORWARD",
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -677,7 +654,7 @@ iptablesAddForwardAllowCross(virFirewall
                              virFirewallLayer layer,
                              const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, true, iface, ADD);
+    iptablesForwardAllowCross(fw, layer, iface, ADD);
 }
 
 /**
@@ -696,20 +673,18 @@ iptablesRemoveForwardAllowCross(virFirew
                                 virFirewallLayer layer,
                                 const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
 }
 
 static void
 iptablesForwardRejectOut(virFirewallPtr fw,
                          virFirewallLayer layer,
-                         bool pvt,
                          const char *iface,
                          int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWO" : "FORWARD",
+                       action == ADD ? "--insert" : "delete", "FORWARD",
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
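Review bot: The remove branch of `iptablesForwardRejectOut` passes `"delete"` without the leading dashes, while every other helper in this patch uses `"--delete"`. iptables will not read the bare word as the delete command, so tearing down a network would likely fail to remove its FORWARD REJECT rule for the bridge's `--in-interface`. That would either leave a stale rule in the built-in chain or fail the rule set, depending on how virFirewall treats the error. The line should read `action == ADD ? "--insert" : "--delete", "FORWARD",`. The `.args` test data visible in this patch only contain `--insert` commands, so a removal case would be needed to catch this.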
@@ -730,7 +705,7 @@ iptablesAddForwardRejectOut(virFirewallP
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, true, iface, ADD);
+    iptablesForwardRejectOut(fw, layer, iface, ADD);
 }
 
 /**
@@ -748,21 +723,19 @@ iptablesRemoveForwardRejectOut(virFirewa
                                virFirewallLayer layer,
                                const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
 }
 
 
 static void
 iptablesForwardRejectIn(virFirewallPtr fw,
                         virFirewallLayer layer,
-                        bool pvt,
                         const char *iface,
                         int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_FWI" : "FORWARD",
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -783,7 +756,7 @@ iptablesAddForwardRejectIn(virFirewallPt
                            virFirewallLayer layer,
                            const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, true, iface, ADD);
+    iptablesForwardRejectIn(fw, layer, iface, ADD);
 }
 
 /**
@@ -801,7 +774,7 @@ iptablesRemoveForwardRejectIn(virFirewal
                               virFirewallLayer layer,
                               const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
+    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
 }
 
 
@@ -810,7 +783,6 @@ iptablesRemoveForwardRejectIn(virFirewal
  */
 static int
 iptablesForwardMasquerade(virFirewallPtr fw,
-                          bool pvt,
                           virSocketAddr *netaddr,
                           unsigned int prefix,
                           const char *physdev,
@@ -849,8 +821,7 @@ iptablesForwardMasquerade(virFirewallPtr
     if (protocol && protocol[0]) {
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
-                                  action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -858,8 +829,7 @@ iptablesForwardMasquerade(virFirewallPtr
     } else {
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
-                                  action == ADD ? "--insert" : "--delete",
-                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -937,8 +907,8 @@ iptablesAddForwardMasquerade(virFirewall
                              virPortRangePtr port,
                              const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, true, netaddr, prefix,
-                                     physdev, addr, port, protocol, ADD);
+    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+                                     protocol, ADD);
 }
 
 /**
@@ -963,8 +933,8 @@ iptablesRemoveForwardMasquerade(virFirew
                                 virPortRangePtr port,
                                 const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
-                                     physdev, addr, port, protocol, REMOVE);
+    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+                                     protocol, REMOVE);
 }
 
 
@@ -973,7 +943,6 @@ iptablesRemoveForwardMasquerade(virFirew
  */
 static int
 iptablesForwardDontMasquerade(virFirewallPtr fw,
-                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *physdev,
@@ -996,8 +965,7 @@ iptablesForwardDontMasquerade(virFirewal
     if (physdev && physdev[0])
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -1006,8 +974,7 @@ iptablesForwardDontMasquerade(virFirewal
     else
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
-                           action == ADD ? "--insert" : "--delete",
-                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -1037,8 +1004,8 @@ iptablesAddDontMasquerade(virFirewallPtr
                           const char *physdev,
                           const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
-                                         physdev, destaddr, ADD);
+    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+                                         ADD);
 }
 
 /**
@@ -1062,14 +1029,13 @@ iptablesRemoveDontMasquerade(virFirewall
                              const char *physdev,
                              const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
-                                         physdev, destaddr, REMOVE);
+    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+                                         REMOVE);
 }
 
 
 static void
 iptablesOutputFixUdpChecksum(virFirewallPtr fw,
-                             bool pvt,
                              const char *iface,
                              int port,
                              int action)
@@ -1081,8 +1047,7 @@ iptablesOutputFixUdpChecksum(virFirewall
 
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
-                       action == ADD ? "--insert" : "--delete",
-                       pvt ? "LIBVIRT_PRT" : "POSTROUTING",
+                       action == ADD ? "--insert" : "--delete", "POSTROUTING",
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
@@ -1106,7 +1071,7 @@ iptablesAddOutputFixUdpChecksum(virFirew
                                 const char *iface,
                                 int port)
 {
-    iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
+    iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
 }
 
 /**
@@ -1123,5 +1088,5 @@ iptablesRemoveOutputFixUdpChecksum(virFi
                                    const char *iface,
                                    int port)
 {
-    iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
+    iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
 }
Index: libvirt-5.1.0/src/util/viriptables.h
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.h
+++ libvirt-5.1.0/src/util/viriptables.h
@@ -26,8 +26,6 @@
 
 int              iptablesSetupPrivateChains      (void);
 
-void             iptablesSetDeletePrivate        (bool pvt);
-
 void             iptablesAddTcpInput             (virFirewallPtr fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-default-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-default-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-default-linux.args
@@ -1,63 +1,63 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -65,13 +65,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -87,19 +87,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-ipv6-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -1,100 +1,100 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -102,13 +102,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -124,31 +124,31 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-many-ips-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -1,63 +1,63 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -65,13 +65,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -87,25 +87,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.128.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.128.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -113,13 +113,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.128.0/24 '!' \
 --destination 192.168.128.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.128.0/24 \
 -p udp '!' \
 --destination 192.168.128.0/24 \
@@ -127,7 +127,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.128.0/24 \
 -p tcp '!' \
 --destination 192.168.128.0/24 \
@@ -135,25 +135,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.128.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.128.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.150.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.150.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -161,13 +161,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.150.0/24 '!' \
 --destination 192.168.150.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.150.0/24 \
 -p udp '!' \
 --destination 192.168.150.0/24 \
@@ -175,7 +175,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.150.0/24 \
 -p tcp '!' \
 --destination 192.168.150.0/24 \
@@ -183,19 +183,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.150.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.150.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -1,100 +1,100 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
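Review bot: The expected commands in this hunk put libvirt's ACCEPT rules for ports 67, 53 and 547 on virbr0 straight into the built-in INPUT chain with `--insert`, which without a rule number adds each rule at the head of the chain, so they are evaluated before any host-administrator rules already present. The same applies to the FORWARD rules further down this hunk and to the opening hunks of nat-tftp-linux.args (which adds port 69) and route-default-linux.args. The patch description carries only the bug reference, so this trade-off of the revert is undocumented. I would add a line to the patch header such as `Rules return to the built-in INPUT/OUTPUT/FORWARD/POSTROUTING chains and are inserted ahead of existing host rules.` These fixture files look like literal expected output, so the remark presumably belongs in the header rather than in the .args files.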
@@ -102,13 +102,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -124,25 +124,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
Index: libvirt-5.1.0/tests/networkxml2firewalldata/nat-tftp-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -1,70 +1,70 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 69 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -72,13 +72,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -86,7 +86,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -94,19 +94,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
Index: libvirt-5.1.0/tests/networkxml2firewalldata/route-default-linux.args
===================================================================
--- libvirt-5.1.0.orig/tests/networkxml2firewalldata/route-default-linux.args
+++ libvirt-5.1.0/tests/networkxml2firewalldata/route-default-linux.args
@@ -1,69 +1,69 @@
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_OUT \
+--insert OUTPUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_INP \
+--insert INPUT \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert LIBVIRT_FWX \
+--insert FORWARD \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWO \
+--insert FORWARD \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert LIBVIRT_FWI \
+--insert FORWARD \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert LIBVIRT_PRT \
+--insert POSTROUTING \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \